GDPR Compliance 31 January 2022

GDPR (European General Data Protection Regulation) is a set of regulations in force from the 25th May 2018.  These rules have been created to strengthen and protect the personal data of European Union (EU) data subjects, and are designed to cover the rights of EU residents and citizens in terms of privacy, the protection of personal data, security of that data, and consumer consent in a world of increasing data flow between businesses and consumers across the world.

If you store and process data of anyone located in the EU or communicate with them then you are required to be GDPR compliant regardless of where you are based geographically.

Strong privacy, data protection and security are important to us and we are committed to adopting the policies of GDPR.

1. GDPR Compliance

Tall Bob has undertaken a review of its data collection, storage and security arrangements and has implemented various system changes to reflect the data security and privacy principles entrenched by GDPR, including individuals’ right of access and right to be forgotten.

Tall Bob understands the fundamental importance of data security and privacy to its customers and end users of its services, and will continue to review and update its systems and compliance policies and procedures following the commencement of the GDPR.

2. Tall Bob as a processor

Tall Bob provides a service for the sending and/or receiving of messages, principally by way of SMS, and hosting and storing rich media. For the purposes of GDPR, when providing this service to customers, Tall Bob acts as a processor.

3. Subject matter of processing

The subject matter of Tall Bob’s processing activities for GDPR purposes comprises the provision of a service for customers to send messages and to deliver visual content to, and/or receive messages from, end users.

4. Nature and purpose of processing

Messages and rich media content are processed by Tall Bob strictly in accordance with customer instructions and otherwise in accordance with the requirements of relevant laws, for the purposes determined by the customer.

5. Type of personal data processed

For the purposes of GDPR, Tall Bob’s customer will be the “controller” in relation to personal data that is processed and will thus have control over the types of personal data processed. Tall Bob processes only that data (which may include personal data) that is transmitted in the course of sending/receiving messages and displaying on landing pages and surveys in accordance with the controller’s instructions. Personal data processed includes source and destination telephone numbers and, depending on message content, may include other personal data.

6. Categories of data subjects

As the “controller” for GDPR purposes, Tall Bob’s customer necessarily has sole control over the specific categories of data subjects that may be the subject of processing by Tall Bob.

7. Level of risk associated with processing

Typically, the personal data that Tall Bob processes, and the circumstances in which such data is processed, would be unlikely to result in significant harm to a data subject in the case of a data breach. However, any assessment of risk associated with a potential data breach necessarily depends upon the types of personal data transmitted in the course of execution in accordance with the controller’s instructions and the context in which that data is processed.

8. Where is the personal data stored?

Personal data is stored in data centres located in Australia.

9. Who has access to the personal data?

Access to personal data stored by Tall Bob is restricted. Specified customer and technical support personnel have limited access for the sole purpose of performing the services that Tall Bob is contracted to perform and to address any customer queries arising out of the performance of those services.

Tall Bob may provide personal data to aggregators to facilitate the provision of the messaging services. Aggregators (who constitute sub-processors for GDPR purposes) will be engaged by Tall Bob pursuant to a GDPR compliant contract.

10. How long do we store personal data?

Tall Bob retains personal data processed by it in the course of providing its services to its customers for the period of time necessary to enable it to complete the processing it is contracted to provide or as otherwise required to comply with its legal obligations, including its requirements to retain certain metadata for 2 years under the Telecommunications (Interception and Access) Act 1979 (Cth).

11. Exercising of rights afforded by GDPR

Tall Bob recognises the rights that are granted to EU residents under the GDPR and will take appropriate action to ensure that those rights are actioned upon request. Any EU resident seeking to exercise a right in respect of their personal data should contact our support centre on 1300 06 409. Tall Bob is committed to ensuring the security of personal data is maintained, and accordingly, any person making a request in respect of their personal data will be required to provide satisfactory evidence as to their right to do so (which may include, for example, their identity and EU residency).